Kaspersky Endpoint Security Cloud Data Processing Agreement


Latest update: May 24, 2018 ID: 14533


This data processing agreement ("DPA") forms an integral part of the Kaspersky Endpoint Security Cloud Agreement ("Agreement") on provision of the Kaspersky Endpoint Security Cloud ("Product") between Kaspersky Lab and User. The attached annex(es) and appendices supplement the terms of this DPA. If the parties previously entered into a data processing agreement for Product, this DPA shall now supersede the foregoing.

All terms used in this DPA have the same meaning as in the Agreement. Terms used here with reference to the EU General Data Protection Regulation (2016/679), such as "personal data breach," "processing," "controller," "processor," and "data subject," will have the same meaning as set forth in Article 4 of the GDPR.

This DPA specifies the terms and conditions for activities of commissioned processing of User Data, especially in relation to the processing of personal data ("Personal Data") included in User Data, in connection with the Agreement.

1. Scope and Roles

1.1. This DPA applies to the processing of User Data by Kaspersky Lab on behalf of User.

1.2. User and Kaspersky Lab agree that User is the controller ("Controller") of User Data and Kaspersky Lab is the processor ("Processor") of such data.

1.3. This DPA does not limit or reduce any data protection commitments Kaspersky Lab makes to User in the Agreement or other agreement between User and Kaspersky Lab and/or its Partners.

1.4. User Data will be used only for the purpose of providing User with the Product, including purposes necessary to and consistent with providing the Product, as specified in Annex 1 of this DPA. User retains all right, title, and interest in and to User Data. Kaspersky Lab does not acquire any rights in User Data other than the rights necessary to provide the Product to the User.

1.5. This DPA will remain in full force and effect until all of the User Data is deleted or extracted from Kaspersky Lab's systems in accordance with the Agreement and Annex 1 of this DPA.

1.6. This DPA does not apply where Kaspersky Lab is a controller of the processed data.

1.7. Before using the Product, the User must specify the location of its organization. The specified location of the organization will determine where the User Data will be processed according to the Online Help by Kaspersky Lab or its affiliates or sub-contractors. In accordance with this instruction User appoints Kaspersky Lab to perform transfer of User Data to the chosen location and to store and process User Data in order to provide the Product. Kaspersky Lab does not control or limit the regions from which User or User's end users may access or move User Data.

1.8. When providing technical support service to User, Kaspersky Lab will have access to the User Data from Russia.

1.9. Annex 2 to this DPA is the Standard Contractual Clauses (processors), which are based on the Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of Personal Data to processors established in third countries, under Directive 95/46/EC. Standard Contractual Clauses apply to the transfer and processing of Personal Data outside of the EEA to a third country which does not otherwise provide adequate protection for personal data, in the course of providing the Product. Standard Contractual Clauses shall prevail over any conflicting section of the DPA and/or the Agreement.

2. Kaspersky Lab Obligations

2.1. Kaspersky Lab shall not engage another processor without prior specific or general written authorization of User. In the case of general written authorization, Kaspersky Lab shall inform User of any intended changes concerning the addition or replacement of other processors, thereby giving User the opportunity to object to such changes.

2.2. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of User Data, the categories of data subjects and the obligations and rights of the User are set forth in the Agreement, including this DPA. In particular, Kaspersky Lab shall:

  • process User Data, including with regard to transfers of User Data to a third country or an international organization, only in accordance with User's instructions within the scope of and for purposes of Product as described in the Agreement and this DPA. The Agreement including this DPA, along with User's use and configuration of features in the Product, are User's complete instructions to Kaspersky Lab for the processing of User Data;
  • ensure that persons authorized to process the User Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • take all measures required pursuant to Article 32 of the GDPR;
  • respect the conditions for engaging another processor;
  • taking into account the nature of the processing, assist User by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the User's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;
  • assist User in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to Kaspersky Lab;
  • at the choice of User, delete or return all the User Data to User after the end of the provision of Product, and delete existing copies;
  • make available to User all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by User or another auditor mandated by User.


2.3. Kaspersky Lab shall notify User without undue delay after becoming aware of a personal data breach in a form required by the law. Notification(s) will be delivered to one or more of User’s administrators by any means Kaspersky Lab selects, including via email. It is User’s sole responsibility to ensure User’s administrators maintain accurate contact information. Obligation to report or respond about a personal data breach is not an acknowledgement by Kaspersky Lab of any fault or liability with respect to that personal data breach.

2.4. Kaspersky Lab shall implement and maintain appropriate technical and organizational measures intended to protect User Data as described in Annex 1 Subsection 2 of this DPA against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction. The technical and organizational measures are subject to technical progress and development. Kaspersky Lab may implement adequate alternative measures that provide at least the same level of security as the specified measures.

2.5. User and Kaspersky Lab shall take steps to ensure that any person acting under the authority of User or Kaspersky Lab who has access to User Data does not process them except on instructions from User.

3. User Obligations

3.1. User shall be responsible for compliance with applicable data protection regulations and laws including but not limited to all transfer of User Data to Kaspersky Lab.

3.2. User may notify Kaspersky Lab in written form and within thirty (30) days after expiration or termination of the User license extract User Data by reasonable measures or delete the stored User Data. User shall notify Kaspersky Lab without undue delay, if User is unable to retrieve User Data within this time period. After the time period has elapsed without notification by User, Kaspersky Lab shall delete all stored User Data, unless Kaspersky Lab is legally prohibited to do so.

4. User Audit

4.1. User shall be allowed to audit Kaspersky Lab's compliance with Kaspersky Lab's obligations under this DPA as required by applicable data protection laws. For this purpose, Kaspersky Lab shall reasonably support User and upon written request by User provide the necessary information.

4.2. After notifying Kaspersky Lab at least five weeks in advance, User may also conduct the audit by an on-site inspection of Kaspersky Lab's data processing facilities and activities during regular business hours and without serious interruption of Kaspersky Lab's daily operations. To conduct the audit on its behalf, User may also select a sufficiently qualified independent third party auditor, who has been obligated to confidentiality and shall not be a competitor of Kaspersky Lab.

4.3. User shall document the audit process and provide Kaspersky Lab with a report on all determined breaches of Kaspersky Lab's obligations under this DPA, if applicable. User and Kaspersky Lab will agree on reasonable measures to ensure future compliance.

4.4. User shall bear all costs for conducting audits and will reimburse Kaspersky Lab for any personal resources expended to support the audit at Kaspersky Lab's then current professional services rates.

5. Sub-processing

5.1. User authorizes Kaspersky Lab to engage sub-processors for the processing of User Data in accordance with this DPA. A list of current sub-processors is available at the following URL: https://help.kaspersky.com/Cloud/1.0/en-US/172033.htm. At least fourteen (14) days before authorizing any new sub-processor to access User Data, Kaspersky Lab will provide notice of it to User.

5.2. Kaspersky Lab will ensure that sub-processors are bound by written agreements that require them to provide at least the level of data protection required of Kaspersky Lab by this DPA.

6. Severability

6.1. The term of this DPA follows the term of the Agreement. Where individual provisions of this DPA are invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.




